
    Archive for June, 2009




    Cybercriminals pose as tattletales about to reveal something scandalous in a malicious spam run we’ve encountered recently.

    Cybercriminals crafted the spam messages to look like an email from YouTube. Each arrives with a link that supposedly points to a video posted on the video-sharing site.


    The message is written in Portuguese and roughly translates to the following:


    A friend sent a video to YouTube, the following message:
    Open your eyes!
    Much admire the way that treats all situations!
    Well, I to the chase.
    I said I would find a way to prove what I have been told to you many days.
    Look at this video!
    The two were thinking they had nothing recording were mistaken there is the video of the two transactions recorded in the cell.
    You’ll thank me later because I have done it hugs.


    Clicking the link triggers the download of Video.com, which is actually a worm detected by Trend Micro as WORM_RUNOUCE.G. When installed on a system, WORM_RUNOUCE.G uses its own SMTP engine to send out email messages to the affected user’s address book. The said email comes in the following format:

    FROM: [email address]
    TO: {recipients name}
    SUBJECT: {random name} is comming!
    Attachment: PP.exe

    The attachment PP.exe is a copy of WORM_RUNOUCE.G, which puts the affected user’s contacts at risk of infection by the same malware.

    The intriguing nature of the message might just be enough to trigger curiosity in recipients’ minds to get them to open the email, which contains a different kind of malicious material. Both the spam email and malicious file are blocked and detected respectively by the Smart Protection Network.




    The Australian Taxation Office (ATO) is calling on people to start thinking about lodging their 2008 tax returns. Spammers are using this event as bait for phishing mail.

    The email contains a letter stating that it was from ATO. It informs the receiver that he or she is eligible to receive a tax refund. It then asks the recipient to answer the form attached to the mail, click the PRINT button, and then send it to the head office.

    The attached form uses a double extension, .PDF.HTM, to trick users into thinking they are filling in a PDF file when it is really an HTML page.
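    The two mail runs described above (the worm mail with its "{random name} is comming!" subject and PP.exe attachment, and the refund form with a .PDF.HTM double extension) both leave indicators in the message itself. The following is an added example, not Trend Micro's code: a small Python mail-gateway check that parses a raw message and flags either pattern. The rule names, decoy/active extension sets and the sample messages it builds are all constructed for the example.

```python
import re
from email import message_from_string
from email.message import EmailMessage, Message

# Constructed rules for the two mail runs described in the posts.
# Worm run: subject "{random name} is comming!" carrying PP.exe.
WORM_SUBJECT = re.compile(r"^.+ is comming!$", re.IGNORECASE)
WORM_ATTACHMENT = "pp.exe"
# Phishing run: a decoy document extension followed by an active one (.PDF.HTM).
DECOY_EXTS = {"pdf", "doc", "xls", "txt", "jpg"}
ACTIVE_EXTS = {"htm", "html", "exe", "scr", "pif", "com", "js", "vbs"}


def has_double_extension(filename: str) -> bool:
    """True for name.decoy.active, e.g. refund_form.pdf.htm."""
    parts = filename.lower().rsplit(".", 2)
    return len(parts) == 3 and parts[1] in DECOY_EXTS and parts[2] in ACTIVE_EXTS


def attachment_names(msg: Message) -> list:
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def classify(raw_mail: str) -> list:
    """Return the names of the rules a raw RFC 822 message trips."""
    msg = message_from_string(raw_mail)
    names = attachment_names(msg)
    hits = []
    if WORM_SUBJECT.match(msg.get("Subject", "")) and any(
        n.lower() == WORM_ATTACHMENT for n in names
    ):
        hits.append("runouce-style-worm-mail")
    hits.extend(f"double-extension:{n}" for n in names if has_double_extension(n))
    return hits


def build_sample(subject: str, filename: str) -> str:
    """Construct a sample message (not a real capture) with one attachment."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"
    m["To"] = "recipient@example.invalid"
    m["Subject"] = subject
    m.set_content("See the attached file.")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_string()


if __name__ == "__main__":
    for subj, fn in [("Maria is comming!", "PP.exe"),
                     ("Tax refund notification", "ATO_refund_form.PDF.HTM"),
                     ("Quarterly report", "report.pdf")]:
        print(subj, fn, "->", classify(build_sample(subj, fn)) or ["clean"])
```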


    A closer look at the form reveals a section asking for the recipient’s account information, with the instruction “Please enter your account information where the 568.24 will be debited.” Note that according to the mail the user is eligible for a refund, yet the spammers chose to fill in that field themselves.

    Furthermore, the form asks for the user’s card number and PIN, which should be irrelevant if this is for a tax return.

    Once the user completes the form and clicks the PRINT button, a window will appear where the user can specify settings related to the printing process. It may look like a normal process but while the document is being printed, the browser will connect to a site, sending the entered details there.


    Users should bear in mind that, especially in times of crisis, criminals never tire of making offers of money or other goods to mask their true intentions.

    The Smart Protection Network blocks both the spam email and the phishing website.




    Today we have noticed an increase in the amount of dating spam mails containing phrases such as:

    I’m emailing you because I like you

    wanted to let you know about my profile

    you have been invited to join


    The link in the spam points to an adult-dating web page that contains pictures of a woman, as well as a profile on the right corner of the screen with a huge clickable ad that says, CLICK HERE TO CHAT FOR FREE.

    Following the link opens a page where the visitor is asked to register by providing an email address and password. Afterward the visitor’s browser opens a new site where he/she is prompted to create a preferred chat handle (username).

    The requests for user information do not end there. The next page asks the user to enter his/her personal details:


    Lastly, credit card information is requested, despite a prior statement saying that chatting is free. The site tries to justify this, saying that such is needed to prevent minors from trying to log in:


    Users tempted to fill in these forms truthfully are doing the cybercriminals a free service, handing over valid email addresses, passwords, and credit card information.

    The simplicity of this technique in extracting user information could indicate two things: spammers are running out of new, more intricate ideas, or that the technique remains to be quite effective despite its simplicity. We’re pretty sure it’s the latter.

    Users of the Smart Protection Network need not worry about receiving these spam emails. Other users are advised that the simplest and most effective way to avoid falling for this kind of sham advertisement is not to open suspicious-looking emails, especially those from unknown senders.




    Following an earlier blackhat SEO attack, cybercriminals are again abusing the Air France Flight 447 tragedy, this time alongside news of the China-made C919 jumbo jet competing with Airbus and Boeing. The current run consists of spam messages carrying an attached PowerPoint presentation specially crafted to exploit a vulnerability in Microsoft PowerPoint.

    The spammed emails suggest that there are images in the attached PowerPoint presentation related to both the China-made jumbo jets and the Air France Flight 447, in order to lure the user into opening the specially crafted file.


    The photographs circulating online that supposedly show the cabin of Air France Flight 447 have been confirmed to be a hoax, and the China-made C919 jumbo jets have not even been built yet; they are not expected to roll off the production lines for another eight years.

    The specially crafted .PPT file is detected by Trend Micro as TROJ_APPTOM.C. It exploits a vulnerability in Microsoft PowerPoint that allows remote code execution. Upon successful exploitation, it drops TROJ_INJECT.AIO which in turn opens a hidden Internet Explorer window and connects to a certain URL, to download additional malicious files.

    Users are strongly advised to apply the patch provided by Microsoft to avoid being victimized by this threat. The Smart Protection Network provides protection from this threat by blocking the spam messages and detecting malicious files.




    URL redirection services like TinyURL have grown from almost nothing in recent years, due entirely to the success of Twitter and its 140-character limit. For most users they are a welcome convenience as they compose tweets, status messages, and other space-limited posts throughout the day.

    Unfortunately, cybercriminals have used such services as part of various schemes before. Earlier this week, in fact, it’s safe to say the Internet dodged a big bullet.

    The database of Cligs, the #4 URL redirection service used on Twitter, was compromised sometime on Sunday night/Monday morning. According to the official Cligs blog, approximately 2.2 million redirects were edited to go to a post talking about Twitter hash tags at a blog maintained by the Orange County Register. It’s unclear who did it and why, although it might well be a case of it being done because it could be done.

    While the attack caused little long-term damage, it could have been indescribably worse. Had it happened to a bigger redirection service like Bitly or TinyURL, the number of affected users would have been far greater. In addition, the edited links didn’t go anywhere malicious. It would have been just as easy to point them at malware, and not very hard to do so in a way that would be invisible to most users.

    This could have been a far bigger problem, but thankfully it wasn’t. What it is, however, is a warning about the dangers of URL redirection. There’s not much consumers can do on their own, but providers should double-check their own security measures.
